MID-8426 fixed display of sensitive jvm options on about page

Evolveum · Dec 21, 2022 · 17481c0 · 17481c0
1 parent c868a4d
commit 17481c0
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 37 deletions.
diff --git a/...admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/configuration/PageAbout.java b/...admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/configuration/PageAbout.java
@@ -7,55 +7,33 @@
 
 package com.evolveum.midpoint.web.page.admin.configuration;
 
-import java.io.Serializable;
-import java.lang.management.ManagementFactory;
-import java.lang.management.RuntimeMXBean;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.List;
-import java.util.concurrent.TimeUnit;
-import javax.xml.namespace.QName;
-
 import com.evolveum.midpoint.authentication.api.authorization.AuthorizationAction;
 import com.evolveum.midpoint.authentication.api.authorization.PageDescriptor;
 import com.evolveum.midpoint.authentication.api.authorization.Url;
-import com.evolveum.midpoint.gui.impl.page.login.PageLogin;
-import com.evolveum.midpoint.security.api.*;
 import com.evolveum.midpoint.authentication.api.util.AuthConstants;
 import com.evolveum.midpoint.authentication.api.util.AuthUtil;
-import com.evolveum.midpoint.web.component.dialog.DeleteConfirmationPanel;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemObjectsType;
-
-import org.apache.catalina.util.ServerInfo;
-import org.apache.commons.lang3.StringUtils;
-import org.apache.wicket.RestartResponseException;
-import org.apache.wicket.ajax.AjaxRequestTarget;
-import org.apache.wicket.markup.html.basic.Label;
-import org.apache.wicket.markup.html.list.ListItem;
-import org.apache.wicket.markup.html.list.ListView;
-import org.apache.wicket.model.IModel;
-import org.apache.wicket.model.PropertyModel;
-import org.springframework.beans.factory.annotation.Autowired;
-
 import com.evolveum.midpoint.gui.api.model.LoadableModel;
 import com.evolveum.midpoint.gui.api.util.WebComponentUtil;
 import com.evolveum.midpoint.gui.api.util.WebModelServiceUtils;
+import com.evolveum.midpoint.gui.impl.page.login.PageLogin;
 import com.evolveum.midpoint.init.InitialDataImport;
+import com.evolveum.midpoint.init.StartupConfiguration;
 import com.evolveum.midpoint.model.api.ModelPublicConstants;
-import com.evolveum.midpoint.repo.common.SystemObjectCache;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.delta.ObjectDelta;
 import com.evolveum.midpoint.prism.query.NotFilter;
 import com.evolveum.midpoint.prism.query.ObjectFilter;
 import com.evolveum.midpoint.prism.query.QueryFactory;
 import com.evolveum.midpoint.prism.query.TypeFilter;
 import com.evolveum.midpoint.repo.cache.RepositoryCache;
+import com.evolveum.midpoint.repo.common.SystemObjectCache;
 import com.evolveum.midpoint.schema.LabeledString;
 import com.evolveum.midpoint.schema.ProvisioningDiag;
 import com.evolveum.midpoint.schema.RepositoryDiag;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.security.api.AuthorizationConstants;
+import com.evolveum.midpoint.security.api.MidPointPrincipal;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.task.api.TaskManager;
 import com.evolveum.midpoint.util.Producer;
@@ -64,11 +42,32 @@
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.web.component.AjaxButton;
+import com.evolveum.midpoint.web.component.dialog.DeleteConfirmationPanel;
 import com.evolveum.midpoint.web.component.dialog.Popupable;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.NodeType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemObjectsType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskType;
 
+import org.apache.catalina.util.ServerInfo;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.wicket.RestartResponseException;
+import org.apache.wicket.ajax.AjaxRequestTarget;
+import org.apache.wicket.markup.html.basic.Label;
+import org.apache.wicket.markup.html.list.ListItem;
+import org.apache.wicket.markup.html.list.ListView;
+import org.apache.wicket.model.IModel;
+import org.apache.wicket.model.PropertyModel;
+import org.springframework.beans.factory.annotation.Autowired;
+
+import javax.xml.namespace.QName;
+import java.io.Serializable;
+import java.lang.management.ManagementFactory;
+import java.lang.management.RuntimeMXBean;
+import java.util.*;
+import java.util.concurrent.TimeUnit;
+import java.util.stream.Collectors;
+
 /**
  * @author lazyman
  */
@@ -77,10 +76,10 @@
                 @Url(mountUrl = "/admin/config/about", matchUrlForSecurity = "/admin/config/about")
         },
         action = {
-        @AuthorizationAction(actionUri = AuthConstants.AUTH_CONFIGURATION_ALL,
-                label = AuthConstants.AUTH_CONFIGURATION_ALL_LABEL, description = AuthConstants.AUTH_CONFIGURATION_ALL_DESCRIPTION),
-        @AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_UI_CONFIGURATION_ABOUT_URL,
-                label = "PageAbout.auth.configAbout.label", description = "PageAbout.auth.configAbout.description") })
+                @AuthorizationAction(actionUri = AuthConstants.AUTH_CONFIGURATION_ALL,
+                        label = AuthConstants.AUTH_CONFIGURATION_ALL_LABEL, description = AuthConstants.AUTH_CONFIGURATION_ALL_DESCRIPTION),
+                @AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_UI_CONFIGURATION_ABOUT_URL,
+                        label = "PageAbout.auth.configAbout.label", description = "PageAbout.auth.configAbout.description") })
 public class PageAbout extends PageAdminConfiguration {
     private static final long serialVersionUID = 1L;
 
@@ -277,9 +276,11 @@ protected void populateItem(ListItem<LabeledString> item) {
             protected String load() {
                 try {
                     RuntimeMXBean runtimeMxBean = ManagementFactory.getRuntimeMXBean();
-                    List<String> arguments = runtimeMxBean.getInputArguments();
+                    final List<String> arguments = runtimeMxBean.getInputArguments();
+
+                    final List<String> updatedArguments = arguments.stream().map(a -> escapeJVMArgument(a)).collect(Collectors.toList());
 
-                    return StringUtils.join(arguments, "<br/>");
+                    return StringUtils.join(updatedArguments, "<br/>");
                 } catch (Exception ex) {
                     return PageAbout.this.getString("PageAbout.message.couldntObtainJvmParams");
                 }
@@ -291,6 +292,20 @@ protected String load() {
         initButtons();
     }
 
+    private String escapeJVMArgument(String argument) {
+            boolean matches = StartupConfiguration.SENSITIVE_CONFIGURATION_VARIABLES.stream().anyMatch(p -> argument.startsWith("-D" + p));
+            if (!matches || StartupConfiguration.isPrintSensitiveValues()) {
+                return argument;
+            }
+
+            int index = argument.indexOf("=");
+            if (index < 0) {
+                return argument;
+            }
+
+            return argument.substring(0, index) + "=" + StartupConfiguration.SENSITIVE_VALUE_OUTPUT;
+    }
+
     private void addLabel(String id, String propertyName) {
         Label label = new Label(id, new PropertyModel<String>(repoDiagModel, propertyName));
         label.setRenderBodyOnly(true);
@@ -550,7 +565,7 @@ private void resetStateToInitialConfig(AjaxRequestTarget target) {
         try {
             QName type = ObjectType.COMPLEX_TYPE;
             taskOid = deleteObjectsAsync(type, factory.createQuery(
-                    factory.createAnd(notTaskFilter, notNodeFilter)),
+                            factory.createAnd(notTaskFilter, notNodeFilter)),
                     taskName, result);
 
         } catch (Exception ex) {

diff --git a/repo/system-init/src/main/java/com/evolveum/midpoint/init/StartupConfiguration.java b/repo/system-init/src/main/java/com/evolveum/midpoint/init/StartupConfiguration.java
@@ -54,11 +54,15 @@ public class StartupConfiguration implements MidpointConfiguration {
 
     private static final Trace LOGGER = TraceManager.getTrace(StartupConfiguration.class);
 
-    private static final List<String> SENSITIVE_CONFIGURATION_VARIABLES = Arrays.asList(
+    public static final List<String> SENSITIVE_CONFIGURATION_VARIABLES = Arrays.asList(
             "jdbcPassword",
-            "keyStorePassword"
+            "keyStorePassword",
+            "midpoint.repository.dataSource",
+            "midpoint.repository.jdbcUrl",
+            "midpoint.repository.jdbcUsername",
+            "midpoint.repository.jdbcPassword"
     );
-    private static final String SENSITIVE_VALUE_OUTPUT = "[*****]";
+    public static final String SENSITIVE_VALUE_OUTPUT = "[*****]";
     // For troubleshooting, enables like this: -Dmidpoint.printSensitiveValues
     private static final boolean PRINT_SENSITIVE_VALUES =
             System.getProperty("midpoint.printSensitiveValues") != null
@@ -315,6 +319,10 @@ private String valuePrintout(String key, Object value) {
                 : SENSITIVE_VALUE_OUTPUT;
     }
 
+    public static boolean isPrintSensitiveValues() {
+        return PRINT_SENSITIVE_VALUES;
+    }
+
     private String readFile(String filename) throws IOException {
         Path filePath = Path.of(filename.replace("${midpoint.home}", midPointHomePath))
                 .toAbsolutePath(); // this provides better diagnostics when the file is not found